moving code for modifying user roles into accounts.inc.php. Incomplete. Broken.

2010-10-07 22:02:45 +00:00 · 2010-10-07 22:02:45 +00:00 · 177f49f805
commit 177f49f805
parent fce116316e
4 changed files with 326 additions and 73 deletions
--- a/account.inc.php
+++ b/account.inc.php
@ -180,17 +180,179 @@ function account_set_email($accounts_id,$email) {
 	}
 }
-// add the necessary role to the account's user record for the specified conference
+// add the specified role to the account's user record for the specified conference
 // return true on success, false on failure
 function account_add_role($accounts_id, $roles_id, $conferences_id, $password = null){
-	// create the user if they don't exist
+	global $config;
-	// active = yes
+
-	// complete = no
+	// avoid injections
 	$accounts_id *= 1;
 	$roles_id *= 1;
 	$conferences_id *= 1;
 	$password = mysql_real_escape_string($password);
 	// make sure the specified id's actually exist
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM accounts WHERE id = $accounts_id"), 0) != 1){
 		return "invalidaccount";
 	}
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM roles WHERE id = $roles_id"), 0) != 1){
 		return "invalidrole";
 	}
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM conferences WHERE id = $conferences_id"), 0) != 1){
 		return "invalidconference";
 	}
 	// find out if this account has a user record for this conference
 	$data = mysql_fetch_array(mysql_query("
 		SELECT * FROM users
 		WHERE conferences_id = $conferences_id
 		AND accounts_id = $accounts_id
 	"));
 	if(is_array($data)){ 
 		// they do indeed have a user record for this conference.  Let's load it
 		$u = user_load($data['id']);
 		$users_id = $data['id'];
 	}else{
 		// They're not actually connected to this conference, let's hook 'em up
 		$u = user_create($accounts_id, $conferences_id);
 		$users_id = $u['id'];
 	}
 	// we now have the user id that we need, let's check to see whether or not they
 	// already have the specified role.
 	$roleRecord = mysql_fetch_array(mysql_query("
 		SELECT COUNT(*) FROM user_roles
 		WHERE conferences_id = $conferences_id
 		AND users_id = $users_id
 		AND roles_id = $roles_id
 	"));
 	if(is_array($roleRecord)){
 		// they already have this role.  shell_exec("man true");
 		return 'ok';
 	}
 	// see if this role conflicts with existing ones
 	if(!account_add_role_allowed($accounts_id, $conferences_id, $roles_id)){
 		return 'invalidrole';
 	}
 	// see if this role is a valid one for this conference
 	if(!array_key_exists($role . '_registration_type', $config)){
 		return 'invalidrole';
 	}
 	// get the type of the role (eg. "judge", "student", etc.)
 	$role = mysql_result(mysql_query("SELECT type FROM roles WHERE id = $roles_id"), 0);
 	// and let's see if we meet the conditions for the registration type
 	$error = "";
 	switch($config[$role . '_registration_type']){
 		case 'open':
 		case 'openorinvite':
 			// this is allowed.
 			break;
 		case 'singlepassword':
 			if($password != $config[$role . '_registration_singlepassword']){
 				$error = "invalidpassword";
 			}
 			break;
 		case 'schoolpassword':
 			if($password != null){
 				$schoolId = $u['schools_id'];
 				$schoolDat = mysql_fetch_assoc(mysql_query("SELECT registration_password FROM schools WHERE id=$schoolId"));
 				if(is_array($schoolDat)){
 					if($password == $schoolDat['registration_password']) $valid = true;
 					$error = "invalidpassword";
 				}
 			}
 			break;
 		case 'invite':
 			$error = 'invalidrole';
 			break;
 	}
 	if($error != ""){
 		return $error;
 	}
 	// *whew* all conditions have been met.  Let's go ahead and create the record
 	if(!mysql_query("INSERT INTO user_roles (accounts_id, users_id, roles_id, active, complete) VALUES($accounts_id, $users_id, $roles_id, 'yes', 'no')")){
 		return "mysqlerror:" . mysql_error();
 	}
 	// if we made it this far, the role was successfully added
 	return 'ok';
 }
 // find out if the specifed role can be added to this account at the specified conference
 function account_add_role_allowed($accounts_id, $roles_id, $conferences_id){
 	$returnval = true;
 	// avoid injections
 	$accounts_id *= 1;
 	$roles_id *= 1;
 	$conferences_id *= 1;
 	// get the roles for the specified account at the specified conference
 	$query = mysql_query("
 		SELECT * FROM user_roles
 		WHERE accounts_id = $accounts_id
 		AND conferences_id = $conferences_id
 	");
 	while($row = mysql_fetch_assoc($record) && $returnval){
 		switch($row['type']){
 			case 'student':
 				// Student cant' add any other role
 				$returnval = false;
 			default:
 				if($role == 'student') {
 					// No role can add the student role
 					$returnval = false;
 				}
 				// All other roles can coexist (even the fair role)
 				break;
 		}
 	}
 	return $returnval;
 }
 // remove the specified role from the account's user record for the specified conference
 // return true on success, false on failure
 function account_remove_role($accounts_id, $roles_id, $conferences_id){
 	// avoid injections
 	$accounts_id *= 1;
 	$roles_id *= 1;
 	$conferences_id *= 1;
 	// make sure the specified id's actually exist
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM accounts WHERE id = $accounts_id"), 0) != 1){
 		return "invalidaccount";
 	}
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM roles WHERE id = $roles_id"), 0) != 1){
 		return "invalidrole";
 	}
 	if(mysql_result(mysql_query("SELECT COUNT(*) FROM conferences WHERE id = $conferences_id"), 0) != 1){
 		return "invalidconference";
 	}
 	// very little error catching needed here.  If the role's there, we hopfully succeed in
 	// removing it.  If it's not, then we succeed in doing nothing
 	$data = mysql_fetch_array(mysql_query("
 		SELECT * FROM users
 		WHERE conferences_id = $conferences_id
 		AND accounts_id = $accounts_id
 	"));
 	if(is_array($data)){ 
 		// they do indeed have a user record for this conference.  Let's load it
 		$u = user_load($data['id']);
 		$roletype = mysql_result(mysql_query("SELECT type FROM roles WHERE id = $roles_id"), 0);
 		$user_remove_role($u, $roletype);
 	}
 	return 'ok';
 }
 /*
 */
 ?>
--- a/judge_other.php
+++ b/judge_other.php
@ -79,12 +79,14 @@ case 'save':
 	$u['highest_psd'] = stripslashes($_POST['highest_psd']);
 	user_save($u);
-	questions_save_answers("judgereg",$u['id'],$_POST['questions']);
+	if(is_array($_POST['questions'])){
 		questions_save_answers("judgereg",$u['id'],$_POST['questions']);
 	}
 	mysql_query("DELETE FROM judges_availability WHERE users_id='{$u['id']}'");
 	if(is_array($_POST['time']) ) {	
-		foreach($_POST['time'] as $x) {
+		foreach($_POST['time'] as $x => $blah) {
 			if(trim($times[$x]['starttime']) == '') continue;
 			mysql_query("INSERT INTO judges_availability (users_id, `date`,`start`,`end`) 
--- a/user.inc.php
+++ b/user.inc.php
@ -23,7 +23,7 @@
 */
 ?>
 <?
-
+include_once('account.inc.php');
 function user_valid_role($role)
 {
 	global $roles;
@ -234,15 +234,20 @@ function user_load_by_accounts_id_year($uid, $year)
 	return user_load($i['id']);
 }
-// activate the specified role for the specified user if they have that role
+// this depends on the naming convention that any given role that needs a completion check
-function user_activate_role($users_id, $roles_id){
+// will have a function called <role>_status_update, which updates their status with the
 // current session data and returns 'complete' or 'incomplete' accordingly.
 // I love the fact that this remark took more characters than the function.
 function user_check_role_complete($u, $role){
 	$func = $role . '_status_update';
 	if(function_exists($func)){
 		$result = $func($u); // that's right, func(u)!
 	}else{
 		$result = 'complete';
 	}
 	return $result;
 }
 // deactivate the specified role for the specified user if they have that role
 function user_deactivate_role($users_id, $roles_id){
 }
 function user_save(&$u)
 {
 	global $conference;
@ -254,8 +259,9 @@ function user_save(&$u)
 		return -1;
 	}
-	// Update all roles 
+	// Update all roles
 	$new_roles = array_keys($u['roles']);
 	/*
 	foreach($new_roles as $r) {
 		if($u['roles'][$r] != $u['orig']['roles'][$r]) {
 			// $u['roles'][$r] has changed from original, update it 
@ -265,6 +271,7 @@ function user_save(&$u)
 			echo mysql_error();
 		}
 	}
 	*/
 	$fields = array('salutation','firstname','lastname',
 			'phonehome','phonework','phonecell','fax','organization',
@ -321,6 +328,81 @@ function user_save(&$u)
 }
 // mark the role as complete if it's qualifications are met
 function user_complete_role($users_id, $role){
 	// avoid SQL injections
 	$role = mysql_real_escape_string($role);
 	$users_id *= 1;
 	// get the id of the role
 	$row = mysql_fetch_assoc(mysql_query("SELECT id FROM roles WHERE type = '$role'"));
 	if(!is_array($row)){
 		return false;
 	}
 	$roles_id = $row['id'];
 	// does this user have the given role?
 	$row = mysql_fetch_array(mysql_query("SELECT * FROM user_roles WHERE users_id = $users_id AND roles_id = $roles_id"));
 	if(!is_array($row)){
 		return false;
 	}
 	// ok, it's a valid role and the specified user has it.  Now let's see if we can mark it as complete
 	$user = user_load($users_id);
 	$result = user_check_role_complete($user, $role);
 	if($result == 'ok'){
 		return true;
 	}else{
 		return false;
 	}
 }
 // mark the role as being incomplete - not a verb sadly
 function user_uncomplete_role($users_id, $role){
 	// avoid SQL injections
 	$role = mysql_real_escape_string($role);
 	$users_id *= 1;
 	// get the id of the role
 	$row = mysql_fetch_assoc(mysql_query("SELECT id FROM roles WHERE type = '$role'"));
 	if(!is_array($row)){
 		return false;
 	}
 	$roles_id = $row['id'];
 	// and update said role for the given user id
 	return mysql_query("UPDATE user_roles SET complete = 'no' WHERE users_id = $users_id AND roles_id = $roles_id");
 }
 // activate the specified role for the specified user if they have that role
 function user_activate_role($users_id, $roles_id){
 	// Make sure the role is indeed there
 	$query = "SELECT * FROM user_roles WHERE roles_id = $roles_id AND users_id = $users_id";
 	$data = mysql_fetch_array(mysql_query($query));
 	if(!is_array($data)){
 		// can't be activated if you don't have it!
 		return false;
 	}
 	return mysql_query("UPDATE user_roles SET active='yes' WHERE users_id = $users_id AND roles_id = $roles_id");
 }
 // deactivate the specified role for the specified user if they have that role
 function user_deactivate_role($users_id, $roles_id){
 	// Make sure the role is indeed there
 	$query = "SELECT * FROM user_roles WHERE roles_id = $roles_id AND users_id = $users_id";
 	$data = mysql_fetch_array(mysql_query($query));
 	if(!is_array($data)){
 		// can't be deactivated if you don't have it!
 		return false;
 	}
 	return mysql_query("UPDATE user_roles SET active='no' WHERE users_id = $users_id AND roles_id = $roles_id");
 }
 function user_remove_role(&$u, $role)
 {
 	if(!array_key_exists($role, $u['roles'])) {
@ -502,46 +584,60 @@ function user_add_role_allowed(&$u, $role)
 }
-// Add a role for a user.  Return true on success, false on error
+// Add a role for a user.
-function user_add_role(&$u, $role, $password = null)
+// now just a skin on top of account_add_role
-{
+function user_add_role(&$u, $role, $password = null){
 	$row = mysql_fetch_assoc(mysql_query("SELECT conferences_id FROM users WHERE id = " . $u['id']));
 	if(!is_array($q)){
 		return 'no conference';
 	}
 	$conference_id = $q['conferences_id'];
 	$result = account_add_role($u['accounts_id'], $roles[$role]['id'], $password);
 	if($result == 'ok'){
 		$u['roles'][$role] = array('active' =>'yes', 'complete' => 'no');
 	}
 	return $result;
 /*
 	global $config, $roles;
 	if(!user_add_role_allowed($u, $role)) {
-		/* If we get in here, someone is hand crafting URLs */
+		// If we get in here, someone is hand crafting URLs 
-		echo "HALT: invalid role add specified for operation.";
+		return "invalid role for specified user";
 		return false;
 	}
 	// ensure that this role can indeed be added
-	$valid = false;
+	$error = null;
 	if(array_key_exists($role . '_registration_type', $config)){
 		switch($config[$role . '_registration_type']){
 			case 'open':
-				$valid = true;
+			case 'openorinvite':
 				// nothing to do for these
 				break;
 			case 'singlepassword':
-				if($password == $config[$role . '_registration_singlepassword']){
+				if($password != $config[$role . '_registration_singlepassword']){
-					$valid = true;
+					$error = "invalid password";
 				}
 				break;
 			case 'schoolpassword':
-				if($pasword != null){
+				if($password != null){
 					$schoolId = $u['schools_id'];
 					$schoolDat = mysql_fetch_assoc(mysql_query("SELECT registration_password FROM schools WHERE id=$schoolId"));
-					if($password == $schoolDat['registration_password']) $valid = true;
+					if(is_array($schoolDat)){
 						if($password == $schoolDat['registration_password']) $valid = true;
 						$error = "invalid password";
 					}
 				}
 				break;
 			case 'invite':
-				//$valid = false;
+				$error = 'invite only';
 				break;
 			case 'openorinvite':
 				$valid = true;
 				break;
 		}
 	}else{
 		$error = 'invalid role';
 	}
-	if(!$valid){
+	if($error != null){
-		return false;
+		return $error;
 	}
 	// ok, the conditions are met, make sure they don't already have this role
@ -556,11 +652,12 @@ function user_add_role(&$u, $role, $password = null)
 		if(mysql_query($q)){
 			$u['roles'][$role] = array('active' =>'yes', 'complete' => 'no');
 		}else{
-			return false;
+			return "error creating record";
 		}
 	}
-	return true;
+	return 'ok';
 */
 }
 function user_create($accounts_id, $conferences_id=0)
@ -593,12 +690,6 @@ function user_create($accounts_id, $conferences_id=0)
 		}
 	}
 	/* No data available on the old user records, let's try getting it from the account then */
 	$results = mysql_fetch_assoc(mysql_query("SELECT * FROM accounts WHERE id ='$accounts_id'"));
 	if(is_array($results)){
 		$fields['username'] = $results['username'];
 	}
 	/* Create the user */
 	$fieldList = array_keys($fields);
 	$query = "INSERT INTO users(`created`, `" . implode('`,`', $fieldList) . "`) VALUES(NOW(), '" . implode("','", $fields) . "')";
--- a/user_main.php
+++ b/user_main.php
@ -1,4 +1,4 @@
-<?
+<?php
 /* 
   This file is part of the 'Science Fair In A Box' project
   SFIAB Website: http://www.sfiab.ca
@ -26,21 +26,24 @@ require_once("common.inc.php");
 require_once("user.inc.php");
 user_auth_required();
-// grab data for the available role types
+// find out if this user actually is in this conference
-$roleDat = array();
+$query = "SELECT COUNT(*) FROM users WHERE conferences_id = {$_SESSION['conferences_id']}"
-$q = mysql_query("SELECT * FROM roles");
+	. " AND accounts_id = " . $_SESSION['accounts_id'];
-while($row = mysql_fetch_assoc($q)){
+$data = mysql_fetch_array(mysql_query($query));
-	$roleDat[$row['type']] = array(
+if($data[0] == 0){
-		'id' => $row['id'],
+	// They're not actually connected to this conference, let's hook 'em up
-		'name' => $row['name']
+	$u = user_create($_SESSION['accounts_id'], $_SESSION['conferences_id']);
-	);
+	$_SESSION['users_id'] = $u['id'];
 }
 $u = user_load($_SESSION['users_id']);
 if(array_key_exists('action', $_GET)){
 	switch($_GET['action']){
 		case 'register':
-			register_new_role();
+			$role = $_POST['role'];
 			$result = account_add_role($u['accounts_id'], $roles[$role]['id'], $_SESSION['conferences_id'], $_POST['password']);
 			echo $result;
 //			register_new_role();
 			break;
 		case 'draw_roles':
 			draw_roles();
@ -101,6 +104,7 @@ send_header("Main Page", array());
 				'password' : $('#' + role + '_password').val()
 			},
 			function(result){
 				alert(result);
 				$('#roles').load('user_main.php?action=draw_roles');
 			}
 		);
@ -150,9 +154,6 @@ echo "<br />";
 echo i18n('Other Options and Things To Do').':<br />';
 echo '<ul>';
 echo '<li><a href="user_edit.php">'.i18n('Change Password').'</a> - '.i18n('Change your email, username, and password').'</li>';
 echo '<li><a href="user_edit.php">'.i18n('Activate/Deactivate Roles').'</a> - '.
 	i18n('Activate/Deactiate/Remove/Delete roles or your entire account').
 	'</li>';
 echo '<li>'.i18n('To logout, use the "Logout" link in the upper-right of the page').'</li>';
 echo '</ul>';
@ -240,7 +241,7 @@ function draw_roles(){
 function draw_signup_form($type){
 	global $config;
-	global $roleDat;
+	global $roles;
 	switch($type) {
 		case 'volunteer':
 			$reg_open = user_volunteer_registration_status(); 
@ -285,9 +286,9 @@ function draw_signup_form($type){
 				break;
 			case 'singlepassword':
 				echo '<p>';
-				echo i18n("{$roleDat[$type]['name']} Registration is protected by a password.  You must know the <b>{$roleDat[$type]['name']} Registration Password</b> in order to create an account.  Please contact the committee to obtain the password if you wish to register.");
+				echo i18n("{$roles[$type]['name']} Registration is protected by a password.  You must know the <b>{$roles[$type]['name']} Registration Password</b> in order to create an account.  Please contact the committee to obtain the password if you wish to register.");
 				echo "</p><p>";
-				echo i18n("{$roleDat[$type]['name']} Password").":<input type=\"password\" size=\"20\" id=\"{$type}_password\" />";
+				echo i18n("{$roles[$type]['name']} Password").":<input type=\"password\" size=\"20\" id=\"{$type}_password\" />";
 				echo "<button onclick=\"register('" . $type . "');\">Register</button>";
 				echo "</p>";
 				break;
@ -304,20 +305,12 @@ function draw_signup_form($type){
 				echo "Unhandled registration mode: $reg_mode";
 		}
 	}else{
-		echo i18n("{$roleDat[$type]['name']} registration is not open");
+		echo i18n("{$roles[$type]['name']} registration is not open");
 	}
 /*
 	echo "<hr/>\$reg_mode = $reg_mode<br/>";
 	echo "\$reg_open = $reg_open<br/>";
 	echo "<pre>";
 //	print_r($config);
 	echo "</pre>";
 */
 }
 function register_new_role(){
-	global $config, $roleDat, $u;
+	global $config, $roles, $u;
 	$password = $_POST['password'];
 	$uid = $_SESSION['users_id'];
 	$roleId = $_POST['role'];
@ -359,7 +352,7 @@ function register_new_role(){
 	// ok, they meet the conditions to register for this role
 	// see if they're already registered for it
-	$role_index = $roleDat[$role]['id'];
+	$role_index = $roles[$role]['id'];
 	$query = "SELECT COUNT(*) FROM user_roles WHERE users_id = $uid AND roles_id=$role_index";
 	echo $query;
 	$results = mysql_fetch_array(mysql_query($query));
@ -367,6 +360,11 @@ function register_new_role(){
 		return false;
 	}
-	user_add_role($u, $role, $password);
+	if(user_add_role($u, $role, $password)){
-	user_save($u);
+		$_SESSION['roles'][] = $role;
 		user_save($u);
 		return true;
 	}else{
 		return false;
 	}
 }